Spam drop could boost Trojan attacks

After rogue ISP McColo was taken offline global spam was estimated to have dropped from 50 to 80 percent, but spammers are starting to reconstitute botnets elsewhere

By John E. Dunn

Techworld.com|Nov 17, 2008

The dramatic fall in spam traffic reported last week after alleged rogue ISP McColo was taken offline will only be a temporary reprieve and could actually generate a new wave of Trojans, experts have warned.

ISPs disagree on the global percentage drop caused by the shuttering of California-based McColo last Tuesday, with estimates given by those contacted by Techworld ranging from 50 to 80 percent, but even the lower figure is still an unprecedented fall in such a short space of time. It appears that even those who were aware of its use as a hosting port had not guessed that a single ISP could be behind such a huge chunk of the world's spam.

"Our servers haven't been so relaxed for months," said Richard Cox, CIO of respected spam-fighting organisation, Spamhaus, ruefully. "This proves how important it is for the law to get at this sort of criminality."

Nevertheless, Cox doubted that the improvement would last long, and could actually lead to a rise in Trojan attacks as spammers using McColo to host botnet control infrastructure, attempted to reconstitute their networks elsewhere in the coming weeks.

Paul Wood of MessageLabs said his company had also seen spam dipping sharply, which had hit specific troublesome botnets hard.

"We documented a massive drop in spam volume to levels, eight times less than typical volumes for a period of 12 hours, immediately following the takedown before spam levels began to rise again," he said.

"Further analysis of our metrics would suggest there has been an 80 percent drop from Mega-D and 60 percent from Srizbi; Rustock is down by 50 percent and Asprox down by 80 percent. Overall botnet traffic has reduced by approximately 30 percent in the 24 hours following the takedown."

In fact, McColo was the third ISP of significance to the criminal world to face disruption in a matter of weeks, he said, referring in particular to the de-peering of Intercage by ISPs in September.

How the botnet controllers reacted in the coming weeks would depend on how easily they could regain control of compromised, "zombie" PCs. If that proved hard, it was possible that new PCs would need to be hit with Trojans in order to start new botnets from scratch.

"It depends on the botnet in question and whether the bad IPs at McColo can be re-activeated by another rogue ISP sooner or later," he said.

Adam O'Donnell of Cloudmark was less convinced that the reduction in spam volumes held much significance for the average user, especially business users sitting behind filtered connections.

"We have seen a drop in IP connection attempts that would have been dropped anyway," he said. "This is not like cleaning up a mess in the street," and the problem would return once the botnetters had found new hosters. "I give it two weeks," he said.

Despite the relentlessly upward movement in spam volumes over time, the occasional fall is not unheard of, with a single botnet going offline reportedly reducing traffic in early 2007.

According to Ed Rowley of recently merged spam filtering outfit Marshal8e6, McColo could have a positive long-term effect in at least one way, that of convincing the authorities that tacking spam was now possible. In the past, the industry had been reluctant to shut down other ISPs, regardless of evidence of wrongdoing, but this might now change.

"There is a strong feeling that this [closing problem ISPs] is not a bad thing," he said.